> On Nov. 23, 2015, 3:47 p.m., Jonathan Hurley wrote:
> > What about using AOP for this kind of stuff? Instead of trying to find and
> > sprinkle the code with a bunch of tightly coupled calls, you could easily
> > intercept multiple join point matches. Kind of prevents problems with
> > placing the checks in resource providers vs impls. I did notice that there
> > were some checks added to AMCImpl - just seems like it's going to be hard
> > to know what's covered and what isn't.
>
> Robert Levas wrote:
>     I guess we could create our own annotations, but it seems like more work
>     than my current approach. In many cases, we need to look at the request to
>     determine if the user can perform the operation. For example, some fields can
>     only be updated based on role... or you can view/edit resources that you
>     _own_ but cannot have access or know about other resources of the same type -
>     for example, I shouldn't be able to _know_ whether a user with some username
>     exists.

I think if the API was RPC-based, it would be a different story and we would be
able to annotate the interfaces rather than need to perform logic on the request
data before determining authorization.

- Robert

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40606/#review107642
-----------------------------------------------------------

On Nov. 23, 2015, 2:53 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/40606/
> -----------------------------------------------------------
>
> (Updated Nov. 23, 2015, 2:53 p.m.)
>
>
> Review request for Ambari, Jonathan Hurley, Nate Cole, Robert Nettleton, and
> Sumit Mohanty.
>
>
> Bugs: AMBARI-13977
>     https://issues.apache.org/jira/browse/AMBARI-13977
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Enforce granular role-based access control for user functions:
>
>                               | Cluster | Service  | Service       | Cluster  | Cluster       |
>                               | User    | Operator | Administrator | Operator | Administrator | Administrator
> ------------------------------|---------|----------|---------------|----------|---------------|--------------
> Create new clusters           |         |          |               |          |               | (+)
> Manage users                  |         |          |               |          |               | (+)
> Assign permissions/roles      |         |          |               |          |               | (+)
>
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementController.java ea7603f
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java 443c715
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AbstractResourceProvider.java 3464c19
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProvider.java 52b0d56
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProvider.java 3670775
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProvider.java bbcd4a1
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/PrivilegeResourceProvider.java 88e9906
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProvider.java 15aa0ec
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProvider.java a8a9909
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/UserResourceProvider.java b993450
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 81794d8
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AuthorizationHelper.java 198e209
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerImplTest.java 1d9e53d
>   ambari-server/src/test/java/org/apache/ambari/server/controller/AmbariManagementControllerTest.java 385e3f7
>   ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java e74520e
>   ambari-server/src/test/java/org/apache/ambari/server/controller/internal/AmbariPrivilegeResourceProviderTest.java 68f1467
>   ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterPrivilegeResourceProviderTest.java 1412470
>   ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserAuthorizationResourceProviderTest.java e71c219
>   ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserPrivilegeResourceProviderTest.java e65786b
>   ambari-server/src/test/java/org/apache/ambari/server/controller/internal/UserResourceProviderTest.java 94f6fd7
>   ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ViewPrivilegeResourceProviderTest.java 8400efd
>   ambari-server/src/test/java/org/apache/ambari/server/security/TestAuthenticationFactory.java PRE-CREATION
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java 2efab89
>
> Diff: https://reviews.apache.org/r/40606/diff/
>
>
> Testing
> -------
>
> Manually tested
>
> # Local test results:
>
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 57:31.344s
> [INFO] Finished at: Mon Nov 23 14:52:50 EST 2015
> [INFO] Final Memory: 67M/1255M
> [INFO] ------------------------------------------------------------------------
>
> # Jenkins test results: PENDING
>
>
> Thanks,
>
> Robert Levas
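
The kind of request-dependent check discussed in the thread above (field-level rules by role, owner-only access, and the same answer for "not yours" and "does not exist"), as an added Java example that is not Ambari code or part of the original e-mail. The class `UserUpdateAuthorizer`, the `Decision` values and the field names `admin` and `active` are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Hypothetical example (not Ambari code): the decision needs the request body, not just the method. */
public class UserUpdateAuthorizer {
    enum Decision { ALLOW, FORBIDDEN, NOT_FOUND }

    // Assumed field names: properties that only an administrator may change.
    private static final Set<String> ADMIN_ONLY_FIELDS =
        Collections.unmodifiableSet(new HashSet<>(Arrays.asList("admin", "active")));

    static Decision authorize(String caller, boolean callerIsAdmin, String targetUser,
                              Map<String, Object> requestedChanges, Set<String> existingUsers) {
        if (callerIsAdmin) {
            // Administrators may learn whether the target exists.
            return existingUsers.contains(targetUser) ? Decision.ALLOW : Decision.NOT_FOUND;
        }
        // Non-administrators only see their own record. Any other username, real or
        // not, yields the same NOT_FOUND, so the response cannot confirm existence.
        if (!caller.equals(targetUser)) {
            return Decision.NOT_FOUND;
        }
        // Owner updating their own record: the role decides which fields are allowed.
        for (String field : requestedChanges.keySet()) {
            if (ADMIN_ONLY_FIELDS.contains(field)) {
                return Decision.FORBIDDEN;
            }
        }
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> users = new HashSet<>(Arrays.asList("alice", "bob"));
        Map<String, Object> newPassword = Collections.<String, Object>singletonMap("password", "s3cret");
        Map<String, Object> selfPromote = Collections.<String, Object>singletonMap("admin", Boolean.TRUE);

        System.out.println("alice -> alice, password: " + authorize("alice", false, "alice", newPassword, users));
        System.out.println("alice -> alice, admin:    " + authorize("alice", false, "alice", selfPromote, users));
        System.out.println("alice -> bob:             " + authorize("alice", false, "bob", newPassword, users));
        System.out.println("alice -> nobody:          " + authorize("alice", false, "nobody", newPassword, users));
        System.out.println("admin -> bob, admin:      " + authorize("root", true, "bob", selfPromote, users));
    }
}
```

The third and fourth calls return the same decision for a non-administrator, while the second shows the same endpoint and caller being refused purely because of which field the request body touches.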
